{
	"id": "2857667e-b614-43dc-93a3-20d261ef9ee1",
	"created_at": "2026-04-06T00:15:45.196674Z",
	"updated_at": "2026-04-10T03:24:29.809222Z",
	"deleted_at": null,
	"sha1_hash": "842cdd85aa6e2693e9a84eade221dc4f53232126",
	"title": "Luna and Black Basta — new ransomware for Windows, Linux and ESXi",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 772842,
	"plain_text": "Luna and Black Basta — new ransomware for Windows, Linux\r\nand ESXi\r\nBy Marc Rivero\r\nPublished: 2022-07-20 · Archived: 2026-04-05 19:56:08 UTC\r\nIntroduction\r\nIn our crimeware reporting service, we analyze the latest crime-related trends we come across. If we look back at\r\nwhat we covered last month, we will see that ransomware (surprise, surprise!) definitely stands out. In this blog\r\npost, we provide several excerpts from last month’s reports on new ransomware strains.\r\nLuna: brand-new ransomware written in Rust\r\nLast month, our Darknet Threat Intelligence active monitoring system notified us of a new advertisement on a\r\ndarknet ransomware forum.\r\nAs one can see from the advertisement, the malware is written in Rust and runs on Windows, Linux and ESXi\r\nsystems. Armed with this knowledge, we went hunting for samples, finding a few via the Kaspersky Security\r\nNetwork (KSN).\r\nCommand line options available in Luna\r\nJudging by the command line options available, Luna is fairly simple. The encryption scheme it uses, however, is\r\nnot so typical, as it involves x25519 and AES, a combination not often encountered in ransomware schemes.\r\nBoth the Linux and ESXi samples are compiled using the same source code with some minor changes from the\r\nWindows version. For example, if the Linux samples are executed without command line arguments, they will not\r\nrun. Instead, they will display available arguments that can be used. The rest of the code has no significant\r\nchanges from the Windows version.\r\nThe advertisement states that Luna only works with Russian-speaking affiliates. Also, the ransom note hardcoded\r\ninside the binary contains spelling mistakes. For example, it says “a little team” instead of “a small team”.\r\nBecause of this, we assume with medium confidence that the actors behind Luna are speakers of Russian. Since\r\nLuna is a freshly discovered group, there is still little data on its victimology, but we at Kaspersky are following\r\nLuna’s activity.\r\nhttps://securelist.com/luna-black-basta-ransomware/106950\r\nPage 1 of 4\n\nLuna confirms the trend for cross-platform ransomware: current ransomware gangs rely heavily on languages like\r\nGolang and Rust. A notable example includes BlackCat and Hive. The languages being platform agnostic, the\r\nransomware written in these can be easily ported from one platform to others, and thus, attacks can target different\r\noperating systems at once. In addition to that, cross-platform languages help to evade static analysis.\r\nBlack Basta\r\nBlack Basta is a relatively new ransomware variant written in C++ which first came to light in February 2022. The\r\nmalware, the infrastructure and the campaign were still in development mode at the time. For example, the victim\r\nblog was not online yet, but the Black Basta website was already available to victims.\r\nBlack Basta supports the command line argument “-forcepath” that is used to encrypt only files in a specified\r\ndirectory. Otherwise, the entire system, with the exception of certain critical directories, is encrypted.\r\nTwo months after the first encounter, in April, the ransomware had grown more mature. New functionality\r\nincluded starting up the system in safe mode before encryption and mimicking Windows Services for persistence\r\nreasons.\r\nThe safe-mode reboot functionality is not something we come across every day, even though it has its advantages.\r\nFor example, some endpoint solutions do not run in safe mode, meaning the ransomware will not be detected and\r\nfiles in the system can be “easily” encrypted. In order to start in safe mode, the ransomware executes the\r\nfollowing commands:\r\nC:\\Windows\\SysNative\\bcdedit /set safeboot networkChanges\r\nC:\\Windows\\System32\\bcdedit /set safeboot networkChanges\r\nEarlier versions of Black Basta contained a different rescue note from the one currently used, which showed\r\nsimilarities to the ransom note used by Conti. This is not as odd as it may seem, because Black Basta was still in\r\ndevelopment mode at the time.\r\nRescue notes comparison\r\nTo ascertain that there was indeed no code overlap between Conti and the earlier versions of Black Basta, we fed a\r\nfew samples to the Kaspersky Threat Attribution Engine (KTAE). Indeed, as shown below, only the strings\r\noverlap. There is thus no overlap in code per se.\r\nhttps://securelist.com/luna-black-basta-ransomware/106950\r\nPage 2 of 4\n\nOverlap with Conti ransomware\r\nBlack Basta for Linux\r\nIn another report we wrote last month, we discussed the Black Basta version for Linux. It was specifically\r\ndesigned to target ESXi systems, but it could be used for general encryption of Linux systems as well, although\r\nthat would be a bit cumbersome.\r\nJust like the version for Windows, the Linux version supports only one command line argument: “-forcepath”.\r\nWhen it is used, only the specified directory is encrypted. If no arguments are given, the “/vmfs/volumes” folder is\r\nencrypted.\r\nThe encryption scheme for this version uses ChaCha20 and multithreading to speed up the encryption process\r\nwith the help of different processors in the system. Given that ESXi environments typically use multiple CPUs to\r\nexecute a VM farm, the malware’s design, including the chosen encryption algorithm, allows the operator to have\r\nthe environment encrypted as soon as possible. Prior to encrypting a file, Black Basta uses the chmod command to\r\nget access to it in the same context as the user level.\r\nBlack Basta targets\r\nAnalysis of the victims posted by the Black Basta group revealed that to date, the group has managed to attack\r\nmore than forty different victims within a very short time it had available. The victim blog showed that various\r\nbusiness sectors were affected including manufacturing, electronics, contractors, etc. Based on our telemetry, we\r\ncould see other hits across Europe, Asia and the United States.\r\nhttps://securelist.com/luna-black-basta-ransomware/106950\r\nPage 3 of 4\n\nConclusion\r\nRansomware remains a big problem for today’s society. As soon as some families come off the stage, others take\r\ntheir place. For this reason, it is important to stay on top of all developments in the ransomware ecosystem, so one\r\ncan take appropriate measures to protect the infrastructure.\r\nA trend, which we also discussed in our previous blog post, is that ESXi systems are increasingly targeted. The\r\naim is to cause as much damage as possible. Luna and Black Basta are no exceptions. We expect that new variants\r\nwill support encryption of VMs by default as well.\r\nFor questions or more information about our crimeware reporting service, please contact\r\ncrimewareintel@kaspersky.com.\r\nSource: https://securelist.com/luna-black-basta-ransomware/106950\r\nhttps://securelist.com/luna-black-basta-ransomware/106950\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/luna-black-basta-ransomware/106950"
	],
	"report_names": [
		"106950"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434545,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/842cdd85aa6e2693e9a84eade221dc4f53232126.pdf",
		"text": "https://archive.orkl.eu/842cdd85aa6e2693e9a84eade221dc4f53232126.txt",
		"img": "https://archive.orkl.eu/842cdd85aa6e2693e9a84eade221dc4f53232126.jpg"
	}
}